Null Pointer Vulnerability Protection Technology-improvement

Null Pointer Vulnerability Protection Technology-improvement
In this article, we introduced the concept of NULL pointer and Null Pointer Vulnerability. In this advanced article, we will introduce the use of NULL pointer and corresponding protection mechanisms.
Author: Sun jianpo
Directory 1 improvement: Use of null pointers
1.1 Introduction to ZwAllocateVirtualMemory
1.2 ZwAllocateVirtualMemory function knowledge
1.3 zero page memory allocation instance win7 vs win8
2 improvement: windows zero-page memory Protection Mechanism
2.1 build a kernel debugging environment
2.1.1 Virtual Machine and debugging environment
2.1.2 configure to start windbg
2.2 cross-stack debugging of user State and kernel state
2.2.1 user State program debugging in the kernel
2.2.2 entering the kernel state
2.3 reverse analysis nt! NtAllocateVirtualMemory
2.3.1 NtAllocatevirtualMemory parameter confirmation
2.3.2 search for the Zero-page Memory Security Mechanism of NtAllocatevirtualMemory
2.3.3 confirm the zero-page Memory Security Mechanism of NtAllocatevirtualMemory
2.3.4 search for other zero-page memory protection functions in the kernel
3. Conclusion
1. Improve: the use of null pointers I have introduced some concepts and related knowledge about null pointers, and I have learned about what a null pointer is, the NULL pointer vulnerability caused by the wild pointer is not the focus of today. Next, we will introduce in detail the Null Pointer Vulnerability pointing to zero page memory.
These vulnerabilities are exploited in two ways:
Use the NULL pointer. Use zero-page memory to allocate available memory space

In the first case, NULL pointers can be used to bypass condition judgment or secure authentication. For example, X.0rg NULL pointer reference denial of access Vulnerability (CVE-2008-0153), such as the comparison before and after the patch modification:

From the code patch, we can see that this vulnerability uses the NULL pointer to change the program process to trigger the vulnerability.

In the second case, the zero-page memory can also be used in some cases, such as the following two cases:

In windows 16 or windows 16 virtual systems, the zero-page memory can be used. Running the DOS program on windows 32-bit systems will start the NTVDM process, the process uses zero-page memory. Allocate zero-page memory in the process through system calls such as ZwAllocateVirtualMemory (before Windows 7 7 ).

 

Next, we will use the ZwAllocateVirtualMemory API function to intuitively see the differences in zero-page memory allocation between Windows 7 7 and win8 systems.

1.1 Introduction to ZwAllocateVirtualMemory

The zwAllocateVirtualMemory function applies for a piece of memory in the virtual space of the specified process. Does it call the zwAllocateVirtualMemory function as long as the memory application space is used? ZwAllocateVirtualMemory needs to be called according to the actual situation.

Heap allocation, usage, and collection are all managed by Microsoft APIs. The most common APIs are malloc and new. The underlying call is HeapAlloc, and HeapCreate is used to create a heap. The zwAllocateVirtualMemory function is called as follows:

. HeapCreate-> RtlCreateHeap-> ZwAllocateVirualMemory, heapSegmentCommit indicates the memory size to be submitted.

The figure shows that the default application size is 0x100000, and the default submission size is 0x2000. Is the function call stack relationship when zwAllocatevirtualMemory is called using the Heapcreate function.

The figure shows the function call process.

HeapAlloc-> RtlAllocateHeap-> ZwAllocateVirualMemory. The memory application here is a memory application submitted by Heapcreate. The heap manager divides the memory into blocks to meet the application requirements. The ZwAllocateVirualMemory function is called again only when the applied memory is insufficient. ** That is to say, we usually use * malloc * or * new * \ * to apply for a small memory on the stack, we will not call this function. ** Note this. It shows the process of calling ZwAllocateVirualMemory using HeapAlloc:

C. Use zwAllocateVirtualMemory to allocate memory directly. For the zwAllocateVirtualMemory function, Microsoft does not provide a public document, but you can learn how to use this function through relevant information or reverse. Directly use the zwAllocateVirtualMemory function to allocate memory. First, load the module where the function is located and obtain the symbolic address of the function. Because this function provides comprehensive parameters, it is more flexible to use this function to allocate memory space.

1.2 ZwAllocateVirtualMemory function knowledge

ZwAllocateVirtualMemory this function applies for a piece of memory in the virtual space of the specified process. By default, the size of the memory is 64 KB.

PHP

NTSYSAPI NTSTATUS NTAPI **ZwAllocateVirtualMemory** (IN HANDLE *ProcessHandle*, IN OUT PVOID **BaseAddress*, IN ULONG *ZeroBits*, IN OUT PULONG *RegionSize*, IN ULONG *AllocationType*, IN ULONG *Protect*);

Two main parameters:

Return Value

If the memory space application is successful, 0 is returned. If the application fails, various NTSTATUS codes are returned.

 

From the zwAllocateVirtualMemory description, we wanted to use the BaseAddress parameter to allocate space in the zero-page memory. However, when BaseAdress is set to 0, the system will find the first unused memory block for allocation, instead of allocating in zero page memory. How can we allocate zero page memory?

1.3 zero page memory allocation instance win7 vs win8

After learning how to use zwallocatevirtualmemory, we can use this function with examples to see how to use this function for zero-page memory allocation. When we set BaseAdress to 0, we cannot allocate space in the zero-page memory. We need to use other methods to allocate space in the zero-page memory. In the AllocateType parameter, one allocation type is MEM_TOP_DOWN. This type indicates that the memory is allocated from top to bottom. At this time, specify BaseAddress as a low address, such as 1, and specify that the size of the allocated memory is greater than this value, such as 8192 (a memory page ), after the allocation is successful, the address range is 0xFFFFE001 (-8191) to 1 to include the 0 address. Then, try to write data to the address executed by the NULL pointer, and the program will not be abnormal. In this way, we find that when the 0 address is allocated with memory, it will also be allocated with memory in the high address (kernel space) (of course, there will certainly be an error when using the high address, because it is in the user space ).

The following example shows how to allocate memory on zero pages.

When you are familiar with windows programming, it is not difficult to understand the above Code. Get the module handle, get the zwAllocateVirtualMemory function address, and pass the parameter to call this function. The baseaddress value is 4, the parameter type includes MEM_TOP_DOWN, that is, the memory is allocated from top to bottom. Therefore, if successful, the address 4-0 in the zero page memory will be allocated; the function returns 0, indicating that the memory allocation is successful. Then, assign a value to the 0 address and print it again. Then, view the result.

To compare the running results of windows and Windows 8 systems, we need to prepare two clean systems windows and Windows 8. Here we use 32-bit systems.

Compile and run the program in win7. The running result is as follows:

From the display results, the zwAllocateVirtualMemory function is indeed allocated 4-0 address space on the zero memory page, that is, we can use zwAllocateVirtualMemory to successfully allocate space in the zero page memory.

Compile the program in the win8 system at the same time. If the F5 debugging result is as follows:

Or CTRL + F5 for non-debugging, the result is as follows:

In the win8 system, after zwallocatevirtualmemory is called, the function returns non-0 and the return value is 0Xc00000f0. In the end, no space is allocated in the zero page memory. That is to say, in the win8 system, zero-page memory is protected, leading to failure in allocating memory at zero-page addresses.

Next, let's take a look at the protection for NULL Pointer, that is, the zero-page memory, in the win8 system.

2 improvement: windows zero-page memory Protection Mechanism

Win8's zero-page memory protection mechanism can be found through the search engine: in the *** WIN8 *** system, the *** flags *** field in the kernel process structure *** EPROCESS *** is used. * Vdmallowed * \ * Indicates whether to allow access to the zero-page memory. ** However, we do not know why it is not our goal. What we need to do is to analyze win8's zero-page memory protection mechanism through reverse and dynamic debugging without relying on other documents.

2.1 build a kernel debugging environment

To explore the implementation of Win8's zero-page memory protection mechanism in the kernel, you must first build an environment that can debug the kernel. Use the example given above and kernel debugging to analyze the security mechanism. I have already introduced how to set up the kernel environment in the previous article. I will try again here.

5.1.1 Virtual Machine and debugging environment

Build the kernel debugging environment and adopt the dual-machine debugging mode. Install the win8 System in the Virtual Machine and configure the win8 debugging mode.

The installation of the win8 system by Vmware is not detailed. After the system is started:

 

Open CMD as Administrator

 

After completing the configurations, close the VM, enable the win8 VM configuration option, delete the parallel port, add the serial port, and configure the serial port, for example:

After vmware is configured, start the VM to enter the debugging mode, for example:

5.1.2 configure to start windbg

To debug the kernel in dual-host mode, you need to configure the windbg tool. Now, install windbg On the host. Create a shortcut for windbg and enter the following content in Properties> target:

PHP

"C:\program file\WinDbg(x64)\windbg.exe" -b -k com:pipe,port=\.\pipe\com_1,baud=115200,resets=0,pipe

The Windbg path varies with the installation path.

Start windbg. Because my host is Windows 7, if you directly double-click the windbg shortcut

This is a lack of necessary permissions, so when you start the windbg shortcut, you need to start with the Administrator permission. After the startup is complete, you can perform kernel-level debugging with the win8 System in the virtual machine, the results after startup are as follows:

After the Basic Environment for kernel debugging is created, you must configure a symbol table for windbg to view windows system functions and calling relationships more intuitively, so that windbg can identify windows standard export symbols, to facilitate nullpointer debugging, you also need to load the symbol table of the program.

The kernel debugging environment has been set up.

 

2.2 cross-stack debugging of user State and kernel state

This is a key part of dynamic debugging and the most important part.

5.2.1 user State program debugging in the kernel

After the environment is configured above, run the G command in windbg to start debugging. After the program is started, press and hold CRTL + BREAK in windbg to BREAK it to the debugger. At this time, the win8 system is interrupted and no commands are run.

Debugger disconnected

We know that when zwallocatevirtualmemory is called in win7 and win8, The win8 system cannot allocate space in the zero-page memory because of the zero-page memory protection mechanism. Starting with nullpointer debugging, we can call zwallocatevirtualmemory to debug the kernel state program to understand the security mechanism.

But now windbg is in the kernel debugging status, view all started processes

Switch to the nullpointer process. The nullpointer symbol table is loaded. View the disassembly of the main function, as shown in:

5.2.2 entering the kernel state

Follow up the function and enter

Before entering the sysenter command, if you have some knowledge about the windows system, you will know that the function uses this call to enter the fast system call, that is, the user State will enter the kernel state.

SYSENTER is used to quickly call a zero-layer system process. SYSENTER is the companion instruction of SYSEXIT. This command is optimized to maximize the performance of system calls initiated by user code (running at Layer 3) to the operating system or execution Program (running at Layer 0.

Before calling the SYSENTER command, the software must use the following MSR registers to specify code segments and code pointers at Layer 0, stack segments at Layer 0, and stack pointers:

IA32_SYSENTER_CS: A 32-bit value. The lower 16 bits are the child of the 0-layer code segment. This value is also used to calculate the stack Selection Sub of layer 0.

2. IA32_SYSENTER_EIP: contains a 32-Bit 0-Layer Code pointer pointing to the first command.

 

3. IA32_SYSENTER_ESP: contains a 32-Bit 0-layer Stack pointer.

MSR registers can be read and written through the instruction RDMSR/WRMSR. The following table lists the register addresses. These address values will remain unchanged in later intel 64 and IA32 processors.

In order to ensure the *** NT we Debug! The NtAllocatevirtualMemory *** function is called by *** nullpointer ***. You need to give *** NT! NtAllocatevirtualMemory ***** indicates that the breakpoint is broken only when the specified process calls the function. ** After the function is disconnected, view the function call stack as shown in **:

The call stack shows that NT is disconnected at this time! NtAllocatevirtualMemory is the kernel function referenced by nullpointer. At this time, the kernel debugging status has been entered.

5.3 reverse analysis nt! NtAllocateVirtualMemory

To debug the win8 kernel, you must combine static analysis and dynamic debugging to mine useful information. First, find the win8 Kernel File. ** Note that the kernel file of the *** win8 *** System in the virtual machine is analyzed at this time, not the kernel file of the *** win7 *** host. **

5.3.1 NtAllocatevirtualMemory parameter confirmation

In the previous debugging, windbg broke at NT! The entrance to the NtAllocatevirtualMemory function. Compare the decompilation results of NtAllocatevirtualMemory functions in windbg and IDA:

After running the command call _ SEH_prolog4_GS, EBP + 8 is the first parameter, and EBP + C is the second parameter, let's look at the EBP value after calling call _ SEH_prolog4_GS, for example:

The first parameter is the Process Handle. This process handle is exactly-1. The second parameter is the base address pointer. Previously, the base address in the program was 4, that is, 0x00000004, view the base address pointer value:

The value is 0x00000004. The third parameter passed in the user State is 0, and the third parameter here is also 0. Other parameters are not listed one by one. That is, the kernel function NtAllocatevirtualMemory is consistent with the user-state function zwallocatevirtualmemory.

 

5.3.2 search for the Zero-page Memory Security Mechanism of NtAllocatevirtualMemory

At the most important moment, next we need to debug NtAllocatevirtualMemory dynamically and perform one step. When we see eax = 0xc00000f0, we will stop:

EAX is assigned by ESI. Let's continue to look up and see where the ESI value comes from.

It can be seen that after the test [edi + 0C4] and H commands are executed, mov esi and 0xc00000f0 will be executed if they are equal.

5.3.3 confirm the zero-page Memory Security Mechanism of NtAllocatevirtualMemory

We have already found the place where 0xc00000f0 is returned. Next we will look at the condition judgment. EDI = 0x84b2ac80 is the address of the EPROCESS. We can see from the EPROCESS results:

The position at which the structure eprocess offset 0xc4 is exactly the mark Vdmallowed. The value is 0, and the value of [edi = 0xc4] is exactly zero after the above 1000000. This causes ESI = 0xc00000f0 and EAX = 0xc00000f0.

** Basically, the security mechanism of ** NULLPage ** in *** NtAllocateVirtualMemory *** has been confirmed, check the flag space of *** VdmAllowed ** \ * In *** EPROCESS. **

Determining conditions determining locations

Judging from the statement, V76 should be the base address in the parameter, and V14 should be the EPROCESS address. Let's take a look at the source of these two values.

It can be seen that v76 is the baseaddress; V14 traces back to the keGetCurrentThread. in Kernel mode, FS points to the KPCR (Kernel's Processor Control Region) structure. That is, the starting point of the FS segment is aligned with the KPCR structure. Let's take a look at the location of the KPCR structure offset of 124.

The figure shows the structure address of the current thread at the offset of 124. This can also be confirmed by viewing the implementation of the function KeGetCurrentThread, for example:

 

 

The thread structure address + 128 (0x80) is the kernel address of the current process, as shown in:

Then, the NtAllocateVirtualMemory function checks the process structure address offset 0xC4 value and 0x000000 for security.

So far, the NtAllocateVirtualMemory function has completely analyzed the zero-page memory protection mechanism. Summary:

Determines whether the base address is less than *** 0x1000000, determine whether the *** Vdmallowed *** mark of the kernel structure *** EPROCESS *** is *** 05.3.4 used to find other zero-page memory protection features in the kernel function

Through NtAllocateVirtualMemory Reverse Analysis and Dynamic Tracking, we understand the zero-page memory protection mechanism in win8. In addition to the NtAllocateVirtualMemory function, is there any other function in the kernel that performs a security check on the zero-page memory?

By searching for the Zero-page memory protection mechanism in the entire NT kernel file, several functions containing zero-page memory are found. The search results are as follows:

In other words, in addition to NTAllocateVirtualMemory in the kernel file, there are four functions to detect the zero-page memory:

MiIsVaRangeAvailable: MiMapViewOfPhySicalSection MiMapLockedPagesInUserSpace MiCreatePebOrTeb

These four functions are not all export functions. That is to say, in kernel programming, some of the export functions we use call one of the four functions internally, it has performed a zero-page memory check internally.

6. Conclusion

This article first introduces what is the Null Pointer Vulnerability, and then analyzes the zero-page memory protection mechanism in windows.

Null Pointer Vulnerability:

 

Security Protection against zero-page memory: checks whether the allocation page is in zero-page memory. The *** VdmAllowed ** \ * flag in the ** check *** EPROCESS *** structure. In the future, the zero-page memory protection in ** Win8 ** ensures that no space is allocated in the zero-page memory, and relieves the zero-page Memory Allocation Vulnerability, the NULL pointer vulnerability caused by zero page memory allocation is only one of the many Null Pointer Vulnerability types. Zero-page memory protection cannot alleviate all NULL pointer vulnerabilities.